Chess.com has disclosed an information breach after menace actors gained unauthorized entry to a third-party file switch utility utilized by the platform.
The incident occurred in June 2025, with the menace actors sustaining entry to the stated utility for 2 weeks, between June 5 and June 18.
Chess.com found the breach on June 19, 2025, and launched an investigation to find out its scope and affect.
“On June 19, 2025, Chess.com turned conscious of potential unauthorized entry to knowledge saved in a third-party file switch utility utilized by Chess.com,” reads the discover despatched to impacted customers.
“Upon turning into conscious of the incident, we began an investigation, retained main specialists, notified federal legislation enforcement, and commenced taking measures to deal with the incident.”
In line with the investigation, the incident impacts solely a really small share of the platform’s large 100 million consumer base, estimated to be simply over 4,500 customers.
Chess.com is among the world’s largest on-line chess portals, working as a match internet hosting platform and likewise a social networking web site for lovers of the sport.
The platform has emphasised that the incident solely affected the unnamed third-party app, whereas its personal infrastructure and member accounts remained unaffected.
Nonetheless, the information that will have been accessed contains names and different personally identifiable info (PII) that has not been included within the pattern notices Chess.com shared with the authorities.
Chess.com famous that no monetary info has been uncovered, and it has no proof that the stolen knowledge has been publicly disclosed or misused but.
The platform states that it has taken further measures to safe its methods and notified legislation enforcement accordingly. It additionally presents impacted members 1-2 years of free id theft and credit score monitoring providers.
Letter recipients are given till December 3, 2025, to enroll within the supplied providers, however it’s endorsed to take action as quickly as doable.
In November 2023, Chess.com suffered one other cyber incident, the place over 800,000 consumer data had been scraped from its web site by exploiting an API flaw and later posted on a hacking discussion board.
The knowledge uncovered in that case included, in accordance with HaveIBeenPwned, e-mail addresses, full names, usernames, and geographic areas.
BleepingComputer has contacted Chess.com to ask about what kinds of knowledge have been uncovered and likewise the title of the third-party that was breached, however we’re nonetheless ready for a response.
46% of environments had passwords cracked, almost doubling from 25% final 12 months.
Get the Picus Blue Report 2025 now for a complete take a look at extra findings on prevention, detection, and knowledge exfiltration developments.
